New Firefox Version Fixes 8 Security Holes

Mozilla on Tuesday released updates to fix at least eight security vulnerabilities in its Firefox Web browser and related software. Five of the eight flaws received a "critical" label, meaning that an attacker could exploit them to break into machines running vulnerable versions of the software.

Patches are available for both the 1.5.x and 2.x versions of Firefox, each of which should automatically alert you when the updates are ready for installation. Users can also install updates by clicking on "Help" then "Check for Updates." Some of the same updates are also available for Mozilla's Thunderbird e-mail client and its SeaMonkey Internet suite.

Dan Veditz, a member of Mozilla's security team, said the team members thought they had a fix for the password manager flaw ready a week ago Friday, but later learned that it really didn't solve the problem. He said Mozilla currently plans to ship a fix for the problem in January.

"It made the password manager pretty unusable," Veditz said. "It required a format change to the password manager file to store additional information, and doing that ran the risk of losing people's passwords, so we were very uncomfortable rushing it in and decided to hold off a bit."

One final note: If you're using a version of Firefox prior to 1.5 (see "Help," "About Firefox" to view the version number), then it's time to install Firefox 2.0. Mozilla long ago stopped supporting or shipping patches for any Firefox versions that begin with 1.0.